I've been trying to get IT Auditors and the Audit community in general to apply the same due diligence to operating systems (infrastructure or general controls) that they apply to applications systems testing.

I'm not aware of anyone in the IT Audit community doing OS audits - to verify that the systems work as advertised and do not fail where they should not. I became quite aware of this a few years ago when I was in a group doing Penetration Testing of an OS and discovered many flaws.

Why don't auditors audit the OS?  I, frankly, don't know. 

But Auditors do have the ear of upper management and they could be the ones indicating the weaknesses in the infrastructure that put the organization at risk.

We wouldn't put in a new payroll system without verifying that it works properly. Yet we're more than willing to unpackage and plug in a desktop computer without the same due diligence. Why? It's beyond me.

Perhaps if more people were asking the right questions to the right people ...  

Why we've come to accept the CTL_ALT_DEL 'three finger salute' as SOP is beyond 

Of course the issues above aren't limited to one particular OS. There are plenty of problems to go around.
(see the work done at Univ of Wisconsin - the Fuzz Testing project http://www.cs.wisc.edu/~bart/fuzz/fuzz.html )

Mike Hines
Michael S Hines

